
Page 1: Sender policy framework. Note:  is a good reference source for SPF

SPF: Sender Policy Framework

Page 2: From OpenSPF

Note: http://www.openspf.org/ is a good reference source for SPF

Page 3: Explain how SPF works in 1 minute (http://www.openspf.org/FAQ/How_does_it_work)

Domains use public records (DNS) to direct requests for different services (web, email, etc.) to the machines that perform those services
◦ All domains already publish email (MX) records to tell the world what machines receive mail for the domain
SPF works by domains publishing "reverse MX" records to tell the world what machines send mail from the domain
◦ When receiving a message from a domain, the recipient can check those records to make sure mail is coming from where it should be coming from
With SPF, those "reverse MX" records are easy to publish:
◦ One line in DNS is all it takes

Page 4: What does SPF actually DO? (http://www.openspf.org/FAQ/What_it_does)

Spammer forges a hotmail.com address
◦ Tries to spam you
◦ They connect from somewhere other than Hotmail
When the message is sent, you see:
◦ MAIL FROM: [email protected]
Don't have to take his word for it
◦ Ask Hotmail if the IP address comes from their network
(In this example) Hotmail publishes an SPF record
◦ That record tells you (your computer) how to find out if the sending machine is allowed to send mail from Hotmail
If Hotmail says they recognize the sending machine
◦ It passes
◦ You can assume the sender is who they say they are
◦ If the message fails SPF tests, it's a forgery
◦ That's how you can tell it's probably a spammer.

Page 5: Sender policy framework

Client validation system
Verifies envelope sender is permitted to send mail on behalf of the domain
◦ In practice, only verifies IP address
Aims to prevent rogue mail servers
SPF provides no information about the contents of an email

Page 6: How SPF works

SPF is stored in DNS
An SPF record type is available
◦ Its use is not widespread
Using a TXT record is more common

Page 7: How SPF works

An SPF record designates permitted and rejected sender(s) for a domain
Mail from a non-permitted sender may be safely rejected

Page 8: What SPF checks

SPF evaluation is performed on two pieces of information
◦ Client email address
◦ Client IP address
Client email is retrieved or derived from
◦ Envelope sender (MAIL FROM)
◦ HELO/EHLO host name

Page 9: What SPF checks

Evaluation is always performed on envelope sender
Evaluation should be performed twice if envelope sender and HELO domains differ
◦ The RFC is unclear on how to merge the results of the evaluations
◦ Likely that the 'best' outcome is accepted

Page 10: Reading SPF records (SPF or TXT record)

Always start with 'v=spf1'
Read left-to-right
Evaluation stops when a mechanism is matched
Last element of an SPF record should always be an 'all' or a 'redirect'
If no mechanisms are matched, the result returned is 'Neutral'

Page 11: 3 example SPF records

gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com"

_spf.google.com. 107 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

hotmail.com. 3600 IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

Page 12: SPF mechanisms

ALL
◦ Matches anything
A
◦ Matches if client IP matches one of the IP addresses of the named domain
◦ Performs DNS lookup on named domain
◦ Looks for A record if client IP is IPv4, AAAA if client IP is IPv6

Page 13: SPF mechanisms

IP4, IP6
◦ Matches if client IP is in the named netblock
◦ Variants for IPv4 and IPv6
◦ Netblock must be in CIDR format, e.g. 172.16.1.0/24

Page 14: SPF mechanisms

MX
◦ Matches if client IP is one of the servers in the MX records of the named domain
PTR
◦ Matches if PTR record for client IP exists and maps to a host in the named domain

Page 15: SPF mechanisms

EXISTS
◦ Matches if the named domain exists
◦ Can be used to emulate DNS blacklists
◦ e.g. 'v=spf1 -exists:%{ir}.zen.spamhaus.org'

Page 16: SPF mechanisms

INCLUDE
◦ Matches if the result of the referenced policy was PASS
◦ Name is poorly chosen

Page 17: SPF qualifiers

"+" Pass
◦ Client is permitted to send mail for the domain
◦ Pass is implied if the qualifier is omitted
"-" Fail
◦ Client is not authorized to send mail for the domain

Page 18: SPF qualifiers

"~" SoftFail
◦ Client should not send mail for the domain
◦ Mail should not be blocked solely on a SoftFail
◦ Result can be used by spam filtering software
"?" Neutral
◦ No assertion on whether the client is authorized
◦ Must be treated the same as if there were no SPF record

Page 19: SPF modifiers

SPF modifiers
◦ Provide additional information
◦ Do not directly affect the evaluation of SPF records

Page 20: SPF modifiers

redirect
◦ Redirect to a different SPF record
◦ Replaces result of this SPF record
◦ Should always be last element of an SPF record

Page 21: SPF modifiers

exp
◦ Provides an explanation of why SPF validation failed to the client
◦ The TXT record is looked up at the named domain and its contents are used as the explanation
◦ SPF macros can be used to make the explanation more informative
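A minimal evaluator for the rules on pages 10 through 21 (read left to right, the first matching mechanism decides, qualifiers, include, redirect, Neutral when nothing matches), added here as an example and not code from the slides or from OpenSPF. DNS is replaced by constructed in-memory tables: the Google and Hotmail records are shortened versions of the page 11 examples, while the contents of spf-a.hotmail.com and example.org are hypothetical. It models a, mx, ip4, ip6, include, all and redirect; ptr and exists are left out.

```python
import ipaddress
# Constructed in-memory stand-in for DNS TXT/A/MX lookups. The gmail.com,
# _spf.google.com and hotmail.com records follow the slides' examples but are
# truncated; spf-a.hotmail.com and example.org are hypothetical.
TXT = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ?all",
    "hotmail.com": "v=spf1 include:spf-a.hotmail.com ~all",
    "spf-a.hotmail.com": "v=spf1 ip4:65.54.190.0/24 -all",
    "example.org": "v=spf1 a mx -all",
}
A_RECORDS = {"example.org": ["192.0.2.1"], "mail.example.org": ["192.0.2.25"]}
MX_RECORDS = {"example.org": ["mail.example.org"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Return the SPF result for client IP `ip` sending mail as `domain`."""
    record = TXT.get(domain)
    if record is None or record.split()[0] != "v=spf1" or depth > 10:
        return "none"  # no usable record: treat as if SPF were not published
    client = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # modifier: only acted on at the end
            continue
        if "=" in term:
            continue  # other modifiers such as exp= do not affect the result
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # '+' is implied
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A_RECORDS.get(arg or domain, [])
        elif name == "mx":
            hosts = MX_RECORDS.get(arg or domain, [])
            matched = any(ip in A_RECORDS.get(h, []) for h in hosts)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            matched = False  # mechanisms not modelled here (ptr, exists)
        if matched:
            return QUALIFIERS[qualifier]  # left to right: first match decides
    if redirect:
        return check_host(ip, redirect, depth + 1)  # replaces this record's result
    return "neutral"  # nothing matched and no redirect
```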

Page 22: Selected SPF macros

A number of macros are available in SPF records
Macros are expanded during SPF evaluation
◦ s = client email address
◦ l = local part of client email address
◦ o = domain of client email address

Page 23: Selected SPF macros

◦ d = client domain name
◦ i = client IP address
◦ v is
  ◦ "in-addr" if client IP is IPv4
  ◦ "ip6" if client IP is IPv6
Used to construct PTR addresses, e.g. %{ir}.%{v}.arpa

Page 24: SPF macro transformers

r - reverse macro, splitting on '.' by default
◦ e.g. %{ir} will reverse an IP address
0-128 - number of delimited components to keep
◦ e.g. if d is 'www.example.com', %{d2} is 'example.com'

Page 25: SPF macro delimiters

Allows you to specify a delimiter to be replaced with periods
◦ Available delimiters are in the set .-+,/_=
◦ e.g. if l is 'jwatso8+foo', %{l+} is 'jwatso8.foo'
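The macro letters, the r and digit transformers and the delimiter option from pages 22 through 25, implemented as an added example rather than the slides' own code. The sender address and IPs are constructed; the IPv6 form of %{i} goes beyond the slides and follows RFC 7208 (dot-separated nibbles).

```python
import ipaddress
import re

# %{<letter><digits><r><delimiters>} as described on the macro slides
MACRO = re.compile(r"%\{([slodiv])(\d*)(r?)([.\-+,/_=]*)\}")

def macro_letters(sender, ip):
    """Values for the slides' macro letters s, l, o, d, i, v (constructed input)."""
    client = ipaddress.ip_address(ip)
    local, _, domain = sender.rpartition("@")
    if client.version == 4:
        i, v = str(client), "in-addr"
    else:  # beyond the slides: RFC 7208 expands IPv6 'i' as dot-separated nibbles
        i, v = ".".join(client.exploded.replace(":", "")), "ip6"
    # d is taken from the sender here; for a HELO check it would be the HELO name
    return {"s": sender, "l": local, "o": domain, "d": domain, "i": i, "v": v}

def expand(text, letters):
    """Expand every macro in `text` using the letter values from macro_letters()."""
    def one(match):
        letter, digits, reverse, delims = match.groups()
        # split on the requested delimiters ('.' when none are given) ...
        parts = re.split("[" + re.escape(delims or ".") + "]", letters[letter])
        if reverse:  # 'r' transformer
            parts.reverse()
        if digits:  # keep only the right-most N components
            parts = parts[-int(digits):]
        return ".".join(parts)  # ... and always rejoin with periods
    return MACRO.sub(one, text)
```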

Page 26: Example SPF records

gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com"

_spf.google.com. 107 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

hotmail.com. 3600 IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

Page 27: SPF header

SMTP servers should add a 'Received-SPF' header to any E-Mail where an SPF record was checked
The Received-SPF header should contain the result of the SPF check

Page 28: Example SPF headers

Received-SPF: Pass (mybox.example.org: domain [email protected] designates 192.0.2.1 as permitted sender) receiver=mybox.example.org; client-ip=192.0.2.1; envelope-from=<[email protected]>; helo=foo.example.com;

Received-SPF: Fail (mybox.example.org: domain [email protected] does not designate 192.0.2.1 as permitted sender) identity=mailfrom; client-ip=192.0.2.1; envelope-from=<[email protected]>;
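A small parser for the Received-SPF header shape shown above, added as an example and not code from the slides; the sample headers are constructed with placeholder names and documentation-range addresses.

```python
import re

# Constructed sample headers in the shape shown on the slide (placeholder
# hosts and addresses from the documentation ranges, not real mail).
SAMPLE_HEADERS = [
    "Received-SPF: Pass (mybox.example.org: domain of alice@example.com "
    "designates 192.0.2.1 as permitted sender) receiver=mybox.example.org; "
    "client-ip=192.0.2.1; envelope-from=<alice@example.com>; helo=foo.example.com;",
    "Received-SPF: Fail (mybox.example.org: domain of alice@example.com does not "
    "designate 192.0.2.1 as permitted sender) identity=mailfrom; "
    "client-ip=192.0.2.1; envelope-from=<alice@example.com>;",
]

# result word, optional parenthesised comment, then key=value pairs separated by ';'
HEADER = re.compile(r"^Received-SPF:\s*(\w+)\s*(?:\(([^)]*)\))?\s*(.*)$", re.S)

def parse_received_spf(header):
    """Split a Received-SPF header into its result, comment and key=value fields."""
    match = HEADER.match(header)
    if not match:
        return None
    result, comment, rest = match.groups()
    fields = {"result": result.lower(), "comment": comment or ""}
    for item in rest.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            fields[key.lower()] = value.strip().strip("<>")
    return fields

def spf_failures(headers):
    """(client-ip, envelope-from) for every header whose result is fail or softfail."""
    out = []
    for header in headers:
        parsed = parse_received_spf(header)
        if parsed and parsed["result"] in ("fail", "softfail"):
            out.append((parsed.get("client-ip"), parsed.get("envelope-from")))
    return out
```

Only the Received-SPF header added by your own receiving server is trustworthy; a sender can place one in the message before it arrives, so filtering logic should read the topmost one from a known host.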

Page 29: SPF limitations

Only works if everyone uses it
◦ Even then only if servers check it
Only prevents mail from unauthorized hosts
Does not verify the sender, only their domain
Does not verify the contents of a message
SPAM can (and will) still find a way